[Jaxryley]

Another sample.
SI3112r.sys - 4/ 40 (10.0%) - MD5 : c09be54c50a1554e041ccf0217507d46
http://www.virustotal.com/file-scan/rep ... 1282952316

SI3112r.rar

(63.44 KiB) Downloaded 107 times

[EP_X0FF]

Heh, under win7 x64 the user still needs to accept to run the threat as admin.

How about infinite loop with UAC messages, when you have to press "Yes" or reset to get rid of it? :)

[CloneRanger]

@ Meriadoc

Does Prevx have 64 bit support?

Yes it does

Fully compatible with the following Windows operating systems:
98, XP, VISTA, 2000, 2003, 2008 and Windows 7 (All versions - 32/64bit)

http://info.prevx.com/downloadprevx.asp

[CloneRanger]

MBRguard by Blue Ridge Networks

Anybody tried using this with some of the nasty stuff ?

Did/does it work as advertised, if so on which nasties ?

If it can help protect the MBR then it's worth having. I've had it installed for a while just as a precaution, why not it's free ;) It hasn't had a negative affect on anything, as far as i can tell. I havn't run any MBR nasties though, so i can't vouch for it's effectiveness, or otherwise.

*

Supported operating systems:

* Windows XP SP2/SP3 32-bit
* Windows Vista SP0/SP1 32-bit
* Windows 7, 32-bit

http://www.blueridgenetworks.com/suppor ... bguard.php

[bytejammer]

@ Meriadoc

Does Prevx have 64 bit support?

Yes it does

Fully compatible with the following Windows operating systems:
98, XP, VISTA, 2000, 2003, 2008 and Windows 7 (All versions - 32/64bit)

http://info.prevx.com/downloadprevx.asp

To my knowledge, Prevx 3 has never been able to detect and remove any TDL3.

If during a scan Prevx reports an infection caused by tdlcmd.dll or z00clicker.dll, please contact Prevx technical support. Our technicians will help our customers to get rid off of the TDL3 infection.

Source: http://www.prevx.com/blog/143/BSOD-afte ... ogize.html

I use Prevx since it is light and fast.

[EP_X0FF]

MBRguard by Blue Ridge Networks

Anybody tried using this with some of the nasty stuff ?

Useless stuff.

[CloneRanger]

@ bytejammer

I can't reliably comment about the capability, or otherwise, of Prevx and TDL3 etc, as i havn't tested it. As you rightly show, they will help people to get rid of it/them. It "might" be that it's just some variants that aren't auto detected ?

Even if people don't have a paid version they will help them remove ALL MBR nasties for FREE :)

[CloneRanger]

@ EP_X0FF

Useless stuff.

Really, well there goes the neighborhood then

Are you saying it won't protect against any MBR infection, or just the latest stuff ?

[CloneRanger]

Unsigned drivers in X64

OK so these new nasties are able to circumvent the enforcement of only being able to install/load signed drivers.

As ONLY signed drivers are supposed to be installed/loaded/running, what happens if you run a search for drivers with these loaded. Does it show them as signed/trusted, or just not see them ?

If they do show up can they be disabled on the fly ?

Also could they have their name changed to for eg, from whatever.sys to whatever.sysz then a fake whatever.sys dropped into the drivers folder to prevent it from running again ? See my Zip - PW = whatever

This could be a temporary solution whilst a better fix arrives, or ?

Just a few ideas, so don't scream at me

EDIT - Spelling

[EP_X0FF]

This TDL loads it code from disk sectors, not from "files" in usual Windows manner. It loads itself, get control over boot process and then uses dll injection for payload.
When it gets control in privileged mode, it can do whatever it want and nothing can help. What it can do depends only on a TDL authors skills. Do not sit with maximum possible rights, even on x64 if you can't manage with your computer in case of infection. All this 3rd party hooking stuff ala security through obscurity is nonsense and looks like same malware just legalized and mostly paid.